Posted
by
Soulskill
on Saturday September 04, 2010 @04:48PM
from the waiting-for-the-right-tuesday dept.

Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."

I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.

Agreed: only people who don't know any better use MSIE. That and MS fanboys. Yes, they all have their vulnerabilities, but experience (12 years worth) tells me that getting off of IE is the first step to getting rid of malware.

It's a strange thing. It seems the only reason IE exists it to repeated punch microsofts reputation in the face. I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys. I watch Channel 9 and there are some seriously smart people working at this company and yet this one program has done more to harm the company's reputation like no other.

IE's world-wide market share is currently around 80% to 85% of all web users.

Alternate browsers have very poor support for properly rendering the text of most Asian languages, while IE has exceptionally good support, so the use of alternate browsers in places like Japan, China, Thailand, Taiwan and the Koreas is virtually unheard of. These markets, which are already far larger than the American or European markets, are still growing.

Don't let the W3Schools stats confuse you. Those are for a small subset of the comparatively small American market, and thus aren't indicative of the global trends.

would not surprise me if some major corporations intraweb (or whatever the term is) package makes use of this as a feature in their design. As such, Microsoft needs to find a way to block the issue without destroying the workings of said package.